
Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual


146    Fabric OS Encryption Administrator’s Guide (SKM/ESKM)    53-1002923-01

Chapter 3: Steps for connecting to an SKM or ESKM appliance

The following example creates the encryption group “brocade”.

SecurityAdmin:switch> cryptocfg --create -encgroup brocade

Encryption group create status: Operation Succeeded.

The switch on which you create the encryption group becomes the designated group leader. Once
you have created an encryption group, all group-wide configurations, including key vault
configuration, adding member nodes, configuring failover policy settings, and setting up storage
devices, as well as all encryption management operations, are performed on the group leader.

3. Set the key vault type for SKM/ESKM by entering the cryptocfg --set -keyvault command.

Successful execution sets the key vault type for the entire encryption group. The following
example sets the key vault type to SKM, which is the selection also used for ESKM.

SecurityAdmin:switch> cryptocfg --set -keyvault SKM

Set key vault status: Operation Succeeded.

4. Import the CA certificate from the download location used when “Downloading the local CA
certificate” on page 138, and register SKM as the key vault. The group leader automatically
shares this information with other group members.

SecurityAdmin:switch> cryptocfg --import -scp

SecurityAdmin:switch> cryptocfg --reg -keyvault primary

At this point, it may take around one minute to fully configure the switch with SKM/ESKM.

5. As the switches come up, enable the encryption engines.

SecurityAdmin:switch> cryptocfg --enableEE

Operation succeeded.

6. Use the cryptocfg --show -groupcfg command to verify that the key vault state is Connected.

Mace_127:admin> cryptocg --show groupcfg
rbash: cryptocg: command not found
Mace_127:admin> cryptocfg --show -groupcfg
Encryption Group Name: mace127_mace129
Failback mode: Auto
Replication mode: Disabled
Heartbeat misses: 3
Heartbeat timeout: 2
Key Vault Type: SKM
System Card: Disabled
Primary Key Vault:
IP address: 10.32.53.55
Certificate ID: Brocade
Certificate label: skmcert
State: Connected
Type: SKM
Secondary Key Vault not configured
Additional Key Vault/Cluster Information:
Key Vault/CA Certificate Validity: Yes
Port for Key Vault Connection: 9000
Time of Day on Key Server: 2010-03-17 17:51:31
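The verification in step 6 is easy to automate when the group leader is polled from a script. The following is an added example, not part of the Brocade guide: it parses the flat "Key: value" layout of the cryptocfg --show -groupcfg output shown above (the sample is constructed from that output and trimmed) and reports which of the conditions an administrator looks for are not met, including the absence of a secondary key vault.

```python
# Constructed sample, taken from the "cryptocfg --show -groupcfg" output above
# and trimmed to the lines the check depends on.
SAMPLE_GROUPCFG = """\
Encryption Group Name: mace127_mace129
Key Vault Type: SKM
Primary Key Vault:
IP address: 10.32.53.55
Certificate label: skmcert
State: Connected
Type: SKM
Secondary Key Vault not configured
Additional Key Vault/Cluster Information:
Key Vault/CA Certificate Validity: Yes
Port for Key Vault Connection: 9000
Time of Day on Key Server: 2010-03-17 17:51:31
"""

def parse_groupcfg(text):
    """Parse flat 'Key: value' lines into dicts keyed by section header.

    A line ending in ':' with no value opens a section; the sentinel
    'Secondary Key Vault not configured' is recorded as a flag instead.
    """
    cfg = {"global": {}, "secondary_configured": True}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Secondary Key Vault not configured":
            cfg["secondary_configured"] = False
        elif line.endswith(":"):
            section = line[:-1]
            cfg[section] = {}
        elif ":" in line:
            key, value = line.split(":", 1)   # split once: timestamps contain ':'
            cfg[section][key.strip()] = value.strip()
    return cfg

def keyvault_findings(cfg):
    """Return finding codes; an empty list means the step 6 check passes cleanly."""
    findings = []
    primary = cfg.get("Primary Key Vault", {})
    if primary.get("State") != "Connected":
        findings.append("PRIMARY_NOT_CONNECTED")
    extra = cfg.get("Additional Key Vault/Cluster Information", {})
    if extra.get("Key Vault/CA Certificate Validity") != "Yes":
        findings.append("CA_CERT_INVALID")
    if cfg["global"].get("Key Vault Type") != "SKM":
        findings.append("UNEXPECTED_VAULT_TYPE")
    if not cfg["secondary_configured"]:
        findings.append("NO_SECONDARY_VAULT")  # one vault is a single point of failure
    return findings

if __name__ == "__main__":
    print(keyvault_findings(parse_groupcfg(SAMPLE_GROUPCFG)))
```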